oss-sec mailing list archives

Re: CVE request - kernel: information leak in sigaltstack

From: Eugene Teo <eugene () redhat com>
Date: Wed, 05 Aug 2009 10:05:55 +0800

Eugene Teo wrote:

do_sigaltstack: avoid copying 'stack_t' as a structure to user space

Ulrich Drepper correctly points out that there is generally padding in
the structure on 64-bit hosts, and that copying the structure from
kernel to user space can leak information from the kernel stack in those
padding bytes.

Avoid the whole issue by just copying the three members one by one
instead, which also means that the function also can avoid the need for
a stack frame. This also happens to match how we copy the new structure
from user space, so it all even makes sense.

Upstream commit:
http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=515392


Reproducer:
http://milw0rm.com/exploits/9352

Thanks, Eugene

Current thread:

CVE request - kernel: information leak in sigaltstack Eugene Teo (Aug 03)
- Re: CVE request - kernel: information leak in sigaltstack Eugene Teo (Aug 04)
- Re: CVE request - kernel: information leak in sigaltstack Steven M. Christey (Aug 18)
  - Re: CVE request - kernel: information leak in sigaltstack Solar Designer (Aug 25)